Access Control

You can set access control using roles at the GCP project level.
Assign a role to a GCP project member or
service account to determine the level
of access to your Google Cloud Platform project and its resources.

You can use primitive roles when you are working on smaller projects that have
less complex needs. For more fine-tuned access controls, use Identity and Access
Management (IAM) roles, which include the App Engine predefined roles.
To learn more about IAM, see the IAM documentation.

Predefined App Engine roles

The predefined roles for App Engine provide you with finer-grained
options for access control. Each role is listed with its targeted user in the
following table. Use the comparison table
to view all role capabilities.

| Role | Capabilities | Target User |
| --- | --- | --- |
| App Engine Admin | Read/Write/Modify access to all application configuration and settings. | Application owner/administrator; on-call engineer; sysadmin |
| App Engine Service Admin | Read-only access to all application configuration and settings. Write access to service-level and version-level settings, including traffic configuration. | |

Note: The App Engine Deployer role alone grants adequate permission to deploy using the Admin API. To use other App Engine tooling, like gcloud commands, you must also have the Storage Admin role and Cloud Build Editor role.

See the deployments section below for more information about the required roles.

For details about the specific IAM permissions that are granted by each role,
see the Roles section of the
Admin API.

Deployments with predefined roles

The App Engine Deployer role is the recommended role for the user account that
is responsible for only deploying a new version of an app. The App Engine Admin
role is an alternative that includes additional administrative privileges,
including the ability to deploy versions.

With either role, a user account is granted adequate permission to use the
Admin API to deploy apps. To grant
permission to use the gcloud commands or other App Engine
tooling, you must also give the user account the Storage
Admin role and Cloud Build Editor
role.

Separation of deployment and traffic routing duties

Many organizations prefer to separate the task of deploying an application
version from the task of ramping up traffic to the newly created version, and to
have these tasks done by different job functions. The App Engine Deployer and
App Engine Service Admin roles provide this separation:

App Engine Deployer role - User accounts are limited to deploying new versions
and deleting old versions that are not serving traffic. The user account with
the App Engine Deployer role won’t be able to configure traffic to any version
nor change application-level settings such as dispatch rules or authentication
domain.

App Engine Service Admin role - User accounts cannot deploy a new version of
an app nor change application-level settings. However, those accounts have
privileges to change the properties of existing services and versions,
including changing which versions can serve traffic. The App Engine Service
Admin role is ideal for an Operations/IT department that handles ramping up
traffic to newly deployed versions.

Permissions the predefined roles do NOT grant

None of the predefined roles listed above grant access to the following:

Create App Engine applications.

View and download application logs.

View Monitoring charts in the GCP Console.

Enable and Disable billing.

Set up a daily Spending Limit (formerly known as Budget) for
App Engine and view dollar amount spent.

Service account for App Engine

After you create an App Engine application, the App Engine default
service account is created and used as the identity of the App Engine
service. The App Engine default service account is associated with your
GCP project and executes tasks on behalf of your apps running in
App Engine.

By default, the App Engine default service account has the Editor role
in the project. This means that any user account with sufficient permissions to
deploy changes to the GCP project can also run code with read/write
access to all resources within that project.

Warning: Deleting the App Engine default service account breaks any current
and future App Engine applications in your GCP project. For
example, your application will lose access to other GCP services
such as Cloud Datastore. If needed, you can restore a deleted default
service account.

Changing service account permissions

You can change the permissions for your service accounts in
GCP Console. For example, you can downgrade the permissions
used by the App Engine default service account by changing its role
from Editor to whichever role(s) that best represent the access needs for your
App Engine application.
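The following is an added example (not Google's code or part of this page) that models the three checks the sections above describe: whether any single principal can both deploy a version and route traffic to it (the separation between the App Engine Deployer and App Engine Service Admin roles), whether a deployer that will use gcloud also holds the Storage Admin and Cloud Build Editor roles, and whether the App Engine default service account still holds the broad Editor role. It works offline on a policy document in the shape that `gcloud projects get-iam-policy PROJECT_ID --format=json` returns. The role IDs are the real IAM role IDs for the roles named on the page; the project ID, the principals, the sample policy and the replacement roles chosen for the default service account are constructed placeholders.

```python
"""Audit and hardening of a GCP project IAM policy for App Engine roles.

Added example, not Google's code. The policy shape follows
`gcloud projects get-iam-policy PROJECT_ID --format=json`:
{"etag": "...", "bindings": [{"role": "...", "members": ["user:...", ...]}]}
"""
import copy

# IAM role IDs of the predefined App Engine roles named on the page.
APP_ENGINE_ADMIN = "roles/appengine.appAdmin"
APP_ENGINE_SERVICE_ADMIN = "roles/appengine.serviceAdmin"
APP_ENGINE_DEPLOYER = "roles/appengine.deployer"
# Primitive roles that can do everything the App Engine roles can.
BROAD_ROLES = {"roles/owner", "roles/editor"}
# Extra roles a deployer needs for gcloud (Storage Admin, Cloud Build Editor).
GCLOUD_DEPLOY_EXTRA_ROLES = {"roles/storage.admin", "roles/cloudbuild.builds.editor"}

PROJECT_ID = "example-project"  # constructed placeholder
# The App Engine default service account of a project uses this address.
DEFAULT_SA = f"serviceAccount:{PROJECT_ID}@appspot.gserviceaccount.com"

# Constructed sample policy: the default SA still has Editor, and the CI
# deployer account was also given Service Admin, so it can deploy and route.
SAMPLE_POLICY = {
    "etag": "BwWExampleEtag=",
    "bindings": [
        {"role": "roles/editor", "members": [DEFAULT_SA]},
        {"role": APP_ENGINE_DEPLOYER, "members": ["user:ci-deployer@example.com"]},
        {"role": APP_ENGINE_SERVICE_ADMIN,
         "members": ["user:ops@example.com", "user:ci-deployer@example.com"]},
    ],
}


def grant(policy, member, role):
    """Return a copy of policy with member added to the binding for role."""
    new = copy.deepcopy(policy)
    for binding in new.setdefault("bindings", []):
        if binding["role"] == role:
            if member not in binding["members"]:
                binding["members"].append(member)
            return new
    new["bindings"].append({"role": role, "members": [member]})
    return new


def revoke(policy, member, role):
    """Return a copy of policy with member removed from role; drop empty bindings."""
    new = copy.deepcopy(policy)
    kept = []
    for binding in new.get("bindings", []):
        if binding["role"] == role:
            binding["members"] = [m for m in binding["members"] if m != member]
        if binding["members"]:
            kept.append(binding)
    new["bindings"] = kept
    return new


def members(policy):
    return sorted({m for b in policy.get("bindings", []) for m in b["members"]})


def roles_of(policy, member):
    return {b["role"] for b in policy.get("bindings", []) if member in b["members"]}


def can_deploy(roles):
    return bool(roles & ({APP_ENGINE_ADMIN, APP_ENGINE_DEPLOYER} | BROAD_ROLES))


def can_route_traffic(roles):
    return bool(roles & ({APP_ENGINE_ADMIN, APP_ENGINE_SERVICE_ADMIN} | BROAD_ROLES))


def separation_violations(policy):
    """Principals able to both deploy a version and send traffic to it."""
    return [m for m in members(policy)
            if can_deploy(roles_of(policy, m)) and can_route_traffic(roles_of(policy, m))]


def gcloud_deployers_missing_roles(policy):
    """Deployer/Admin principals that can deploy via the Admin API but lack the
    Storage Admin and Cloud Build Editor roles gcloud-based deployment needs."""
    out = []
    for m in members(policy):
        roles = roles_of(policy, m)
        if roles & {APP_ENGINE_DEPLOYER, APP_ENGINE_ADMIN} and not GCLOUD_DEPLOY_EXTRA_ROLES <= roles:
            out.append(m)
    return out


def default_sa_has_editor(policy):
    return "roles/editor" in roles_of(policy, DEFAULT_SA)


def harden(policy, sa_roles=("roles/datastore.user", "roles/logging.logWriter")):
    """Apply the separation and least-privilege fixes to a copy of policy.
    sa_roles is a constructed choice of narrower roles for the default SA."""
    new = revoke(policy, "user:ci-deployer@example.com", APP_ENGINE_SERVICE_ADMIN)
    for role in GCLOUD_DEPLOY_EXTRA_ROLES:
        new = grant(new, "user:ci-deployer@example.com", role)
    new = revoke(new, DEFAULT_SA, "roles/editor")
    for role in sa_roles:
        new = grant(new, DEFAULT_SA, role)
    return new


if __name__ == "__main__":
    print("violations before:", separation_violations(SAMPLE_POLICY))
    print("deployers missing gcloud roles:", gcloud_deployers_missing_roles(SAMPLE_POLICY))
    fixed = harden(SAMPLE_POLICY)
    print("violations after:", separation_violations(fixed))
    print("default SA roles after:", sorted(roles_of(fixed, DEFAULT_SA)))
```

Run against the constructed sample, the audit flags both the CI deployer account (Deployer plus Service Admin) and the default service account (Editor can do everything, which is the point of the warning that anyone who can deploy can run code with Editor access); after `harden`, no principal can both deploy and route traffic and the default service account is limited to the narrower roles passed in. To apply the result to a real project you would write the returned policy to a file and pass it to `gcloud projects set-iam-policy`, keeping the `etag` so a concurrent change is not silently overwritten.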

To run Cloud SDK commands using a service account, including any of the
Cloud SDK development tools, you must first enable the Google App Engine Admin API in
your Google Cloud Platform project. Use the API Library in the GCP Console to
manage all of the APIs and Services in your GCP project: